valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
66aaa2210c
SigmaHQ/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
mvelazco d8aa0ae124 adding references
2021-06-03 23:38:10 -04:00

27 lines
867 B
YAML
Raw Blame History

title: Multiple Users Attempting To Authenticate Using Explicit Credentials
id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
author: Mauricio Velazco
date: 2021/06/01
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
tags:
- attack.t1110.003
- attack.initial_access
- attack.privilege_escalation
logsource:
product: windows
service: security
detection:
selection1:
EventID: '4648'
timeframe: 24h
condition:
- selection1 | count(Account_Name) by ComputerName > 10
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
level: medium
Reference in New Issue View Git Blame Copy Permalink